
100+ Free PSAP Practice Questions

TCM Practical SOC Analyst Professional practice questions are available now; exam metadata is being verified.

Interactive quiz, question 1 of 100:

In a threat hunt for lateral movement, an analyst wants to find hosts that have had a large number of distinct source hosts authenticate to them within a short window, indicating potential lateral movement sweeps. Which Splunk SPL approach achieves this?

Key Facts: PSAP Exam (source: TCM Security)

Exam Fee: $499
Exam + Report Window: 3 + 2 days
SOC 201 Training Included: 25+ hours
Retake Included: 1 free
Certification Validity: No expiry
Exam Supervision: Non-proctored

The PSAP is TCM Security's intermediate-to-advanced SOC certification focused on proactive threat hunting and DFIR. The 3-day practical exam requires you to investigate a realistic corporate compromise, map attacker TTPs to MITRE ATT&CK, and submit a professional incident response report within 2 additional days. Powered by the SOC 201 course (25+ hours). Cost: $499 including 1 retake. This knowledge-prep practice test covers the conceptual body of knowledge; the real exam tests hands-on investigation skills in a live environment.

Sample PSAP Practice Questions

Try these sample questions to test your PSAP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which threat hunting maturity model level describes an organization that relies exclusively on automated alerting with no proactive hunting capability?
A. Level 0 (Initial)
B. Level 1 (Minimal)
C. Level 2 (Procedural)
D. Level 3 (Innovative)
Explanation: The Hunting Maturity Model (HMM) places Level 0 (Initial) organizations at the lowest tier: they depend entirely on reactive, automated alerts and have no proactive threat hunting program. Movement to Level 1 introduces manual indicator-based searches, while higher levels involve procedural and hypothesis-driven hunting.

2. A threat hunter is building a hypothesis before a hunt. Which input best drives a TTP-based hunting hypothesis according to the MITRE ATT&CK framework?
A. A specific ATT&CK technique observed in recent threat reports
B. Known bad IP addresses from a threat feed
C. Open vulnerability scanner findings
D. Firewall block counts from the past 24 hours
Explanation: TTP-based hypotheses are anchored to specific adversary behaviors (techniques and sub-techniques) from ATT&CK rather than atomic indicators like IPs. Starting from a technique, such as T1059.001 (PowerShell), lets hunters look for behavioral patterns that persist even when indicators rotate.

3. During an investigation, an analyst observes a Windows process with a parent of 'svchost.exe' spawning 'cmd.exe', which in turn executes 'whoami.exe'. Which MITRE ATT&CK technique does this process tree most strongly suggest?
A. T1059.003 (Windows Command Shell)
B. T1055 (Process Injection)
C. T1543.003 (Windows Service)
D. T1078 (Valid Accounts)
Explanation: Seeing 'cmd.exe' spawned from a service host and then executing discovery commands like 'whoami.exe' is a classic indicator of T1059.003 (Windows Command Shell execution). The process tree pattern svchost → cmd.exe → whoami is common in post-exploitation scenarios where attackers use shell commands for local reconnaissance.

4. Which PowerShell command-line artifact in Windows Event ID 4104 (Script Block Logging) most strongly indicates an attacker is attempting to bypass the Execution Policy?
A. -ExecutionPolicy Bypass
B. -NonInteractive
C. -WindowStyle Hidden
D. -EncodedCommand
Explanation: The '-ExecutionPolicy Bypass' flag directly overrides PowerShell's script execution policy, allowing unsigned scripts to run without restriction. This is one of the most commonly logged indicators in Event ID 4104 for malicious PowerShell use. Script Block Logging captures the decoded script content, making this flag clearly visible.
5. An analyst reviews Splunk logs and notices a spike in outbound DNS queries from a single endpoint to randomized 30-character subdomains of a single apex domain. What technique does this most likely indicate?
A. DNS Tunneling (C2)
B. DNS Cache Poisoning
C. DNS Zone Transfer
D. BGP Hijacking
Explanation: High-volume outbound DNS queries to algorithmically generated or randomized long subdomains of a fixed apex domain are the hallmark of DNS tunneling used for command-and-control (T1071.004). Attackers encode data in subdomains to exfiltrate data or receive instructions while blending into normal DNS traffic.
6. When performing a host-based forensic acquisition, which approach best preserves evidence integrity for live volatile memory collection?
A. Reboot the host before imaging to clear unstable data
B. Use a write blocker and image memory to a network share immediately
C. Dump memory using a tool like WinPmem before any other actions on the system
D. Copy the pagefile.sys to preserve swap data first
Explanation: Volatile memory (RAM) must be captured first, before any other actions, because it contains running processes, network connections, encryption keys, and injected code that will be lost on reboot or system state change. WinPmem is a standard open-source tool used for live memory acquisition on Windows.

7. Which Windows artifact records the execution of programs even when they have been deleted from disk, making it valuable for proving execution during a DFIR investigation?
A. Windows Event Log (Security)
B. MFT ($MFT)
C. Prefetch files (.pf)
D. AmCache.hve
Explanation: Windows Prefetch files are created for executables that run on a system and store the executable name, path hash, run count, and last eight run times. Critically, Prefetch entries persist after the binary is deleted, providing strong evidence of execution history that can survive anti-forensics attempts.

8. During an intrusion timeline reconstruction, an analyst needs to determine the first time a specific DLL was loaded into a process. Which data source most directly provides this information?
A. Sysmon Event ID 7 (ImageLoad)
B. Windows Security Event ID 4688 (Process Creation)
C. Sysmon Event ID 1 (Process Create)
D. Windows System Event ID 7036 (Service State Change)
Explanation: Sysmon Event ID 7 (ImageLoad) records when a DLL or other image file is loaded into a process, including the image path, hash, and the process that performed the load. This is the authoritative source for DLL load history and is essential for detecting DLL hijacking, side-loading, and reflective injection.

9. A threat hunter is looking for lateral movement via PsExec. Which combination of artifacts provides the strongest corroborating evidence of PsExec execution on a target host?
A. PSEXESVC service creation (Event ID 7045) + ADMIN$ share access (Event ID 5140)
B. Failed logon events (Event ID 4625) + DNS query logs
C. Scheduled task creation (Event ID 4698) + WMI subscription events
D. Firewall allow rule creation + AppLocker events
Explanation: PsExec works by copying its service binary (PSEXESVC.exe) to the ADMIN$ share and creating a service on the target. Event ID 7045 (new service installed) showing PSEXESVC, combined with Event ID 5140 (network share accessed) for ADMIN$ on the same target host and timeframe, is definitive evidence of PsExec lateral movement.

10. In Splunk, a threat hunter wants to find all PowerShell processes where the encoded command argument length exceeds 500 characters. Which SPL clause correctly filters for this?
A. | where len(CommandLine) > 500 AND CommandLine LIKE "%EncodedCommand%"
B. | stats count by CommandLine | where count > 500
C. | eval cmd_len=len(CommandLine) | where cmd_len > 500 | search CommandLine=*EncodedCommand*
D. | table CommandLine | eval length > 500
Explanation: The correct SPL pattern uses eval to calculate string length, filters with a where clause, then searches for the EncodedCommand flag. This uses Splunk's eval/where pipeline correctly. The len() function computes the character length of the field, which is the right approach for detecting abnormally long encoded commands.

About the PSAP Practice Questions

Verified exam format metadata for TCM Practical SOC Analyst Professional is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.